CVE-2024-44246: 
Apple Safari vulnerability analysis and mitigation

CVE-2024-44246 is a security vulnerability affecting Apple's Safari browser and related operating systems, discovered by Jacob Braun. The vulnerability was disclosed and patched on December 11, 2024, affecting Safari 18.2, macOS Sequoia 15.2, iOS 18.2, iPadOS 18.2, and iPadOS 17.7.3. The issue specifically impacts devices with Private Relay enabled, where adding a website to Safari's Reading List could potentially expose the user's original IP address to the website (Apple Support).

The vulnerability is related to the routing of Safari-originated requests when using Private Relay, a privacy feature designed to mask users' IP addresses. The issue received a CVSS 3.1 Base Score of 5.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N from NIST NVD, indicating a network-accessible vulnerability with low attack complexity and no privileges required. CISA-ADP assessed it with a slightly lower score of 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

When exploited, this vulnerability could compromise user privacy by revealing the original IP address of users who have Private Relay enabled. This effectively bypasses the privacy protection that Private Relay is designed to provide, potentially exposing users' true network location when they add websites to their Safari Reading List (Apple Support).

Apple has addressed this vulnerability by improving the routing of Safari-originated requests in the following software updates: Safari 18.2, macOS Sequoia 15.2, iOS 18.2, iPadOS 18.2, and iPadOS 17.7.3. Users are advised to update their devices to these versions to protect against this privacy leak (Apple Support).